Thursday, April 12, 2012

Flashback Trojan: domain generator algorithm demystified

We have already heard a lot about Flashback, a trojan targeting users of Apple's Mac OS X that has so far infected more than 600,000 machines around the world by taking advantage of a Java vulnerability (CVE-2012-0507).

Information from a user perspective has already been published: removal scripts, patches, detection routines, and so on are easy to find all over the net. However, the most interesting aspect of this malware, from a security standpoint, is its spreading functionality.

I recently got a sample of this malware and analyzed a bit of its code. It was easy to determine the domain generator algorithm once I noticed the piece of code that sets up the URL:

Basically, it generates a string of characters derived from the current date (day, month and year), so that a new domain is generated and contacted every day.

For example, the domain of the day (12/04/2012) is:

Domain: fhnqskxxwloxl

Note that this routine generates only the domain name, not the TLD. It seems that the possible TLDs used by the malware are encrypted with strong encryption, with a key uniquely generated on the infected machine at install time; therefore I'm unable to recover them, as I only have the payload and not the full installer.

A little research using Google nonetheless suggests that the following TLDs have been observed:

.com

.net

.kz

.in

.info
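As an added example (not code from the original post, nor the malware's own routine), the following Python checks DNS query log lines against the DGA label expected on each query's date, combined with the observed TLDs above. The generator itself is not reproduced on this page, so the per-day label table is a placeholder holding only the label given above for 12/04/2012, and the log line format is an assumption.

```python
import re
from datetime import date

# TLDs the post reports as observed alongside the Flashback DGA labels.
OBSERVED_TLDS = {"com", "net", "kz", "in", "info"}

# Label produced by the DGA for each day. The post does not reproduce the
# generator, so this table is a placeholder holding only the label the post
# gives for 12 April 2012; a real deployment would compute it from the date.
DGA_LABEL_BY_DATE = {date(2012, 4, 12): "fhnqskxxwloxl"}

# Constructed sample DNS query log (hypothetical format: date, client, qname).
SAMPLE_DNS_LOG = """\
2012-04-12 10.0.0.5 www.apple.com
2012-04-12 10.0.0.7 fhnqskxxwloxl.com
2012-04-12 10.0.0.7 fhnqskxxwloxl.kz
2012-04-12 10.0.0.9 FHNQSKXXWLOXL.org.
2012-04-13 10.0.0.7 fhnqskxxwloxl.com
"""

LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\s+(\S+)\s+(\S+)\s*$")


def split_domain(qname):
    """Normalise a queried name and split it into (label, tld); the DGA emits
    only the label, so the TLD is matched separately against the observed set."""
    qname = qname.lower().rstrip(".")
    label, _, tld = qname.rpartition(".")
    return label, tld


def classify(day, qname):
    """Return None, or a verdict string when the label is the one expected on `day`."""
    label, tld = split_domain(qname)
    if label != DGA_LABEL_BY_DATE.get(day):
        return None
    return "observed-tld" if tld in OBSERVED_TLDS else "unknown-tld"


def find_dga_lookups(log_text):
    """Scan log lines and return (client, qname, verdict) for every DGA hit;
    the label is checked only against the query's own date, as a date-seeded DGA implies."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        y, mo, d, client, qname = m.groups()
        verdict = classify(date(int(y), int(mo), int(d)), qname)
        if verdict:
            hits.append((client, qname, verdict))
    return hits
```

A match with an unknown TLD is still worth flagging, since the post notes the TLD list is recovered from observation rather than from the decrypted configuration.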

Now that the domain generator algorithm is demystified, you can try to register one of the domains (if you can find one still available!) and perform your own traffic analysis!